Your message dated Thu, 13 Jun 2024 10:49:12 +0000
with message-id <e1shi12-00ek51...@fasolo.debian.org>
and subject line Bug#1073126: fixed in composer 2.7.7-1
has caused the Debian Bug report #1073126,
regarding composer: CVE-2024-35242: Multiple command injections via malicious git/hg branch names
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1073126: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073126
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: composer
Version: 2.7.6-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for composer.

CVE-2024-35242[0]:
| Composer is a dependency manager for PHP. On the 2.x branch prior to
| versions 2.2.24 and 2.7.7, the `composer install` command running
| inside a git/hg repository which has specially crafted branch names
| can lead to command injection. This requires cloning untrusted
| repositories. Patches are available in version 2.2.24 for 2.2 LTS or
| 2.7.7 for mainline. As a workaround, avoid cloning potentially
| compromised repositories.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35242
    https://www.cve.org/CVERecord?id=CVE-2024-35242
[1] https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
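The branch-name handling described in the CVE text above, as an added PHP illustration (not Composer's code and not the upstream fix): a branch name read from an untrusted clone is checked against git's ref-name rules and then passed to git as a separate argument instead of through a shell string. The function names and the choice of `rev-parse` are assumptions.

```php
<?php
// Added illustration of the bug class behind CVE-2024-35242. Not Composer's
// code or its actual patch; function names are assumed. The unsafe pattern
// is "git rev-parse " . $branch: the untrusted name becomes part of a shell
// command line, so shell metacharacters in it are executed.

// Accept only names that satisfy git's own ref-name rules (see
// git-check-ref-format) and are not option-like. A malicious repository can
// carry refs git would never let a user create, so validate, do not trust.
function isSafeBranchName(string $branch): bool
{
    if ($branch === '' || $branch === '@' || $branch[0] === '-') {
        return false;
    }
    // Control characters, whitespace, DEL and the characters git forbids
    if (preg_match('/[\x00-\x20\x7f~^:?*\[\\\\]/', $branch) === 1) {
        return false;
    }
    if (strpos($branch, '..') !== false || strpos($branch, '@{') !== false
        || substr($branch, -1) === '.') {
        return false;
    }
    // Components must be non-empty (rejects leading, trailing and doubled
    // slashes), must not start with '.' and must not end with '.lock'.
    foreach (explode('/', $branch) as $part) {
        if ($part === '' || $part[0] === '.' || substr($part, -5) === '.lock') {
            return false;
        }
    }
    return true;
}

// Validate first, then hand the name to git as its own argv element:
// proc_open's array form (PHP >= 7.4) runs git directly, without a shell.
function resolveBranchCommit(string $branch): ?string
{
    if (!isSafeBranchName($branch)) {
        return null;
    }
    $spec = [1 => ['pipe', 'w']];
    $proc = proc_open(['git', 'rev-parse', '--verify', $branch], $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return proc_close($proc) === 0 ? trim($out) : null;
}
```

Run inside any git checkout; `resolveBranchCommit()` returns the commit id for a valid existing branch and null for a name that fails validation or that git cannot verify.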
--- Begin Message ---
Source: composer
Source-Version: 2.7.7-1
Done: David Prévot <taf...@debian.org>

We believe that the bug you reported is fixed in the latest version of
composer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1073...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <taf...@debian.org> (supplier of updated composer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 13 Jun 2024 08:57:06 +0200
Source: composer
Architecture: source
Version: 2.7.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: David Prévot <taf...@debian.org>
Closes: 1073125 1073126
Changes:
 composer (2.7.7-1) unstable; urgency=medium
 .
   [ Jordi Boggiano ]
   * Fix Filesystem::isLocalPath including windows checks on linux
   * Fix perforce arg not being escaped correctly
   * Fix handling of zip bombs when unzipping archives
   * Fix UX when a non-required plugin is still present in vendor dir (#12000)
   * Fixed PSR violations for classes not matching the namespace of a rule being
     hidden, fixes #11957
   * Fix new platform requirements from composer.json not being checked when
     composer.lock is outdated, fixes #11989 (#12001)
   * Fix empty type support in init command, fixes #11999
   * Fix secure-http check to avoid bypass using emojis
   * Merge pull request from GHSA-v9qv-c7wm-wgmf [CVE-2024-35242]
     (Closes: #1073126)
   * Merge pull request from GHSA-47f6-5gq3-vx9c [CVE-2024-35241]
     (Closes: #1073125)
   * Fix windows parameter encoding to prevent abuse of unicode characters with
     best fit encoding conversion
   * Release 2.7.7
 .
   [ Krzysztof Ciszewski ]
   * composer#11852 fix: ability to remove autoload* keys (#11967)
   * Fix composer error when git config safe.bareRepository is set to explicit
     (#11969)
 .
   [ Dan Wallis ]
   * Close style tags to avoid bleed (#11972)
 .
   [ Sam B ]
   * To enable the TransportException code to be accessed in PHP < 8.1, make
     reflection property accessible (#11974)



--- End Message ---